In its final Patch Tuesday update of 2024, Microsoft has addressed 71 new security vulnerabilities, including a zero-day flaw that is currently being actively exploited.
The zero-day vulnerability, documented as CVE-2024-49138, is a bug in the company’s Windows Common Log File System (CLFS). It poses a significant threat because it lets attackers gain system-level privileges through a heap-based buffer overflow, which could pave the way for ransomware and other escalated attacks.
Detailed information about the specific extent or location of its exploitation has not been disclosed. CISA on Tuesday added the vulnerability to its Known Exploited Vulnerabilities list.
In tandem, Microsoft has urged immediate attention to another severe vulnerability, CVE-2024-49112, in the Windows Lightweight Directory Access Protocol (LDAP). The vulnerability carries a CVSS severity score of 9.8. This flaw can allow an attacker to execute remote code without authentication, posing a high risk to domain controllers central to network security structures. Microsoft’s advisory recommends urgent patching and isolation of LDAP services from untrusted networks to prevent potential exploits.
This month’s fixes highlight pressing threats within the Windows ecosystem, particularly vulnerabilities enabling unauthorized access or remote code execution in critical services such as Remote Desktop and Hyper-V. The patches address flaws that could readily be weaponized by cybercriminals targeting widely used enterprise components.
Also on Tuesday, Adobe issued patches addressing 167 vulnerabilities across its software suite, with significant updates in products like Adobe Experience Manager and Adobe Connect. None of Adobe’s patched vulnerabilities were known to be under active exploitation at the time of release.
Organizations are strongly encouraged to expedite these patches, given the severity scores and the additions to the KEV list.
You can view the full Microsoft list in the company’s Security Response Center.
The post Microsoft closes 2024 with extensive security update appeared first on CyberScoop.